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Abstract. Testing efficiently whether a finite set Y with a binary operation • over 
it, given as an oracle, is a group is a well-known open problem in the field of property 
testing. Recently, Friedl, Ivanyos and Santha have made a significant step in the direction 
of solving this problem by showing that it is possible to test efficiently whether the input 
(r, •) is an abelian group or is far, with respect to some distance, from any abelian group. 
• In this paper, we make a step further and construct an efficient quantum algorithm that 

Qh| tests whether (T, •) is a solvable group, or is far from any solvable group. More precisely, 

the number of queries used by our algorithm is polylogarithmic in the size of the set Y. 

a 

1 Introduction 

In property testing, the problem considered is to decide whether an object given as an oracle has 
some expected property or is far from any object having that property. This is a very active research 
area and many properties including algebraic function properties, graph properties, computational 
Q\ ! geometry properties and regular languages were proved to be testable. We refer to, for example, 

[T5] IT9] for surveys on classical property testing. Quantum testers have also been studied [Til 05] > 
£f) • and they are known to be strictly more powerful than classical testers in some cases [TJ [16] . 

. In this paper, we focus on testing group-theoretical properties. A famous example is testing 

whether a function / : G — > H, where H and G are groups, is a homomorphism. It is well known 
that such a test can be done efficiently El [21] . Another kind of problems deals with the case 
where the input is a finite set Y and an oracle of a binary operation • : Y x Y — > Y over it. A 
classical algorithm testing associativity of the oracle • using 0([r| 2 ) queries to the oracle has been 
constructed by Rajagopalan and Schulman [18j, and Ergiin et al. [8] have proposed an algorithm, 
using 0(|r|) queries, testing if ■ is close to the multiplication of a group. But notice that, since each 
element in Y needs G(log |r|) bits to be encoded, the query complexities of these algorithms can be 
considered as exponential in the input length when not Y, but only |T| is given (e.g., Y is supposed to 
be the set of binary strings of length [~log 2 |T|] ). Designing an algorithm deciding whether (T, •) is a 
group that uses a number of queries to • polynomial in log \Y\ is indeed a well-known open problem. 
Recently, Friedl et al. [10] have made a significant step in the direction of solving this problem by 
constructing a classical algorithm with query and time complexities polynomial in log |T| that tests 
whether (r, •) is an abelian group or is far from any abelian group. 

In this work, we make a step further and construct an efficient quantum algorithm that tests 
whether (T, •) is a solvable group or the distance between (T, •) and any solvable group is at least 
e | r | 2 . More precisely, our algorithm uses a number of queries polynomial in log |T| and e" 1 , and its 
time complexity is polynomial in exp((loglog |r|) 2 ) and e , i.e., subexponential in log \Y\. Notice 
that the class of solvable groups is far much larger than the class of abelian groups and includes a 
vast class of non-abelian groups. To deal with those groups, we introduce new ideas relying on the 
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ability of quantum computation to solve fundamental group-theoretical problems, such as finding 
orders of elements or working with superpositions of all the elements of a subgroup. 

Besides the theoretical interest of this result, our algorithm can be used when studying group- 
theoretical problems where the input is a black-box solvable group (i.e., given as a set a generators 
and an oracle performing group operations) . Most known algorithms for such problems can have an 
unpredictable behavior when the input is not a solvable group. By applying our algorithm we can 
detect (in the quantum setting) if the input is far from any solvable group, and we thus obtain robust 
versions of the quantum algorithms already known for solvable black-box groups [T3l HHI [23] . We 
also hope that this will be useful to design new quantum property testers or group-theoretical 
quantum algorithms. In particular, our tester may be useful when considering quantum versions of 
classical algorithms solving problems over black-box solvable groups [U EJ EJ 0] as well. 

Finally, we believe that our quantum algorithm may also be a first step in the direction of designing 
efficient classical testers for solvable groups. Indeed, the efficient classical tester for abelian groups 
proposed by Friedl et al. |10| was inspired by a quantum algorithm solving the same problem. In 
this case, they were able to "dequantumize" the algorithm. A similar approach may be possible for 
our algorithm too. 

2 Definitions 

2.1 Distances between sets 

Let r be a set and • : T x T — > X a binary operation over it, where X is some set. We say that 
such couple (r, ■) is a pseudo-magma. If X C T, we say that (r, •) is a magma. When there is no 
ambiguity we will denote a pseudo- magma or a magma (r, •) simply by T. We now define a distance 
between two pseudo-magmas. In this paper we adopt the so-called edit distance. This is the same 
distance as the one used by Friedl et al. [10J. 

Define a table of size k as a k x k matrix with entries in some arbitrary set. We consider three 
operations to transform a table to another. An exchange operation replaces elements in a table by 
arbitrary elements and its cost is the number of replaced elements. An insert operation at index i 
inserts a row and a column of index i. Its cost is Ik + 1 if the original table is of size k. A delete 
operation at index i deletes both the row of index i and the column of index i, giving a table of size 
(k - 1) x (k - 1). Its cost is (2k - 1). 

Let (r, •) be a pseudo-magma, with • : T x T — > X. A multiplication table for T is a table of 
size |r| with entries in X for which both rows and columns are in one-to-one correspondence with 
elements in T, i.e., there exists a bijection a : {1, • • • , |r|} — > T such that the element in the i-th row 
and the j-th column is cr(i) ■ o~(j). The distance between two pseudo-magmas is defined as follows. 

Definition 1. The edit distance between two tables T and T' is the minimum cost needed to trans- 
form T to T by the above exchange, insert and delete operations. The edit distance between two 
pseudo-magmas V and V , denoted d(T,T'), is the minimum edit distance between T and T' where 
T (resp. T' ) runs over all tables corresponding to a multiplication table ofT (resp. V). For 5 > 0, 
we say that a pseudo-magma T is 5-close to another pseudo-magma V if d(T, V) < 5. Otherwise 
we say that T and V are 5 -far. 

Notice that if the sizes of T and T' are the same, then the edit distance becomes the minimal 
Hamming distance of the corresponding tables. 

2.2 Property testing of group solvability 

In this paper we assume that the reader is familiar with the standard notions of group theory. 
We refer to any standard textbook for details. For completeness, we only recall the definition of 
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solvable groups. 

Definition 2. A group G is solvable if there exists a collection of subgroups Go, . . . , Gk of G such 
that: 

(i) for each < j < k, the subgroup Gj~i is normal in Gj and Gj/Gj-i is cyclic; 

(ii) {e} = G < • • • < G k = G. 

We now give our definition of a quantum property tester of group solvability. We define such 
a tester as a quantum algorithm s$ receiving as input a magma (r, •). More precisely, the actual 
input of the algorithm is the value |T|, and two oracles are available: an oracle that generates 
random elements in T (the details of the implementation of this oracle are not essential because this 
oracle will only be used in a classical subprocedure), and a quantum oracle that performs the binary 
operation •. Since the elements of V can be encoded by binary strings of length k = |~log 2 |T|], we 
identify the elements with their encoding and suppose that this quantum oracle performs the map 
\g)\h)\c) (— > |<?)|/i)|c0 g ■ h), where g and h are elements in T and c is a string in {0, l} fc . We denote 
by ffJ (r) the behavior of the algorithm si on an input (r, ■) given in this way. A more formal 
definition of a quantum property tester can be given but the following definition will be sufficient 
for our purpose. 

Definition 3. Let d be the distance defined in Subsection \2. 1\ A quantum e-tester of group solvability 
is a quantum algorithm such that, for any magma (T, ■), the following holds: 

( Pr[s/(T) accepts] > 2/3 if d(T, S fi ) = 
\ Pr[^(r) rejects) > 2/3 ifd(T,y) > e\T\ 2 . 

Here we use d(T,y) to represent ir&Q^y d(T,G), where 5? denotes the set of finite solvable groups. 

Notice that, a priori, requiring that the oracle is quantum may seem to give a problem different 
than in the classical setting, where the oracle is classical. But this is not really the case: if a classical 
procedure that computes the product g ■ h from g and h is available, such a quantum oracle can be 
effectively constructed using standard techniques of quantum computation [T7] . 

The main result of this paper is the following theorem. 

Theorem 4. There exists a quantum e-tester of group solvability that uses a number of queries 
polynomial in log |T| and e~ x . The running time of this algorithm is polynomial in exp((loglog |r|) 2 ) 
and e _1 . 

2.3 Quantum algorithms for solvable groups 

As stated in the following theorem, efficient quantum algorithms for studying the structure of 
solvable groups have been constructed by Watrous [23J. Our algorithm deeply relies on these 
algorithms. 

Theorem 5. (]23^) Let G be a solvable group given as a black-box group. Then there exists a 
quantum algorithm running in time polynomial in log |C| that outputs, with probability at least 
3/4, t = 0(log|G|) elements hi,...,h t of G and t integers mi, . . . ,m t such that, if we denote 
Hi = (hi, . . . ,hi) for 1 <i <t, the following holds. 

(a) {e} = H < Hi < ■ ■ ■ < H t -i <H t = G; and 

(b) Hi/Hi-i is cyclic, for 1 < i < t, with \Hi\/\Hi—\\ = mi. 



3 



Moreover, given any < i < t, and any element g in Hi, there exists a quantum algorithm running 
in time polynomial in log \G\ that outputs, with probability at least 3/4, the (unique) factorization 
of g over Hi, i.e., integers a±, . . . , ai with each au € 7L mh , such that g = h^h°i~i • • • h® 1 . 

In the algorithm of Theorem [5j the group is supposed to be input as a black-box group: the 
input is a set of strings representing a set of generators of the group and an oracle performing 
the group product is available. The oracle necessary for Watrous's algorithm |23] is the map 
\g)\h)\c) i — y \g)\h)\c(B g ■ h), for any elements g,h € G and any string c in {0, l} k . Notice that this is 
the same oracle as the one given to a quantum tester of group solvability as defined in Subsection 

E31 

3 Our Quantum Algorithm 

In this section we describe our quantum algorithm. We first give an overview of the algorithm in 
Subsection 13. 11 Then, in Subsection 13.21 we explain the details. Finally, we analyse its correctness 
and complexity in Subsection 13.31 

3.1 Outline of our algorithm 

Our algorithm consists of four parts. 
Decomposition of T 

We first construct, using Theorem t = 0(log |T|) elements hi, . . . ,ht of V that satisfy, if T is a 
solvable group, the relations {e} = Hq<Hi = (hi}<- ■ -<Hi = (hi, ■ ■ ■ ,hi)<i- ■ -<\H t = (hi, ■ ■ ■ ,h t } = 
r, where each Hi is a subgroup of T, normal in fli+i, such that Hi+i/Hi is cyclic. If V is a solvable 
group, this decomposition gives a so-called power-conjugate presentation of T. If T is not a solvable 
group, these elements hi,...,ht will still define some pseudo- magmas Hq, . . . ,Ht, although in general 
these sets satisfy no group-theoretic property (in particular, they are not necessarily magmas). 

Test of embedding 

Then, we take sufficiently many elements of T and check that they are all in Hf. Success of this 
test implies that |T\ii^| is small enough. Of course, if T is a solvable group, then T = Ht with 
high probability and this test always succeeds. Assume that T is far from any solvable group Ht. If 
the test succeed, since the inequality d(T,Ht) < d(T,Ht) + d(Ht,Ht) holds for any solvable group 
H t , this will imply that H t is far from any solvable group H t too (because the value of d(T, H t ) is 
basically a function of |T\i?t|, and thus small). 

Construction of the group Gt 

We construct, using the information about the structure of V obtained at the first part of the 
algorithm, t solvable groups Gi, . . . , Gt and a function ip : Gt — > Ht in a way such that, if T is a 
solvable group, then ip is a group isomorphism from Gt to Ht- 

Test of homomorphism 

Finally, the algorithm will test whether tfj is "almost" an homomorphism. We will show that this 
test is robust: if ip is close to an homomorphism, then Ht is close to the solvable group Gt- If Ht is 
far from any solvable group, then this cannot hold and the homomorphism test must fail with high 
probability. 

Again, the similar idea of constructing a group G, a function tp : G — > V and use homomorphism 
tests was at the heart of the property tester for abelian groups proposed by Friedl et al. [TU] and 
inspired this work (notice that the Friedl et al. first constructed a quantum property tester for 
abelian groups, and then were able to remove the quantum part in their algorithm). However there 
are new difficulties that arise when considering property testers for solvable groups. The first one is 
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that analyzing the decomposition the H^s is more difficult and the power of quantum computation 
seems necessary to perform this task efficiently. The second complication is that, now, the groups 
Gj's we are considering are solvable, i.e., in general not commutative. In this case, we have to be 
very careful in the definition of Gi and additional tests have to be done to ensure that the Gj's we 
define are really groups. 

3.2 Algorithm 

Our algorithm appears in Figure 1 and each of the four parts are explained in details in Subsections 
13.2.11 to 13.2.41 If all the tests performed succeed, we decide that T is a solvable group. Otherwise 
we decide that V is (e|T| 2 )-far from any solvable group. 



PART I: Decomposition of T 

1. Take 0(log |T|) random elements uniformly and independently in T. 

2. Use the first algorithm of Theorem [5] on them and obtain the set {hi, . . . , ht} and integers 
mi, ...,m t . 

3. For each % € {1, . . . , t}, use Shor's order finding algorithm on hi and obtain some integer m. 

4. Compute the decompositions of all h™* and h™^ 1 ■ (h^ ■ hi) over £fj_i, for i 6 {1, ... ,£} 
and k €. {1, — 1}, and check the obtained decompositions. 

PART II: Test of embedding 

5. Check that |T| = mi x • • • x m t and |r\iJ t |/|T| < e/4. 
PART III: Construction of the group Gt 

6. For j from 2 to t check that Conditions (a), (b) and (c) of Proposition [7] hold. 
PART IV: Test of homomorphism 

7. Check that Pr^g^ [ip(x o y) = tp(x) ■ ip(y)] > 1 — r] with rj = e/422. 

Figure 1: Quantum e-tester of group solvability 

3.2.1 Decomposition of T 

The first step in our algorithm finds a power-conjugate representation of T when T is a solvable 
group. We will prove that when T is far from any solvable group, then the output of this step 
cannot be a power-conjugate representation of a group close to T and that this can be detected by 
our algorithm at part II, III or IV. 

We begin by picking s = 0(log|r|) random elements «i,-- - , a s uniformly and independently 
from the ground set T. For simplicity, we first suppose that T is a solvable group, and then discuss 
the general case. 

Case where T is a solvable group. Denote V = (a%,--- ,a s ). Then, with high probability, 
r = r'. Here we rely on the standard fact in computational group theory that, for any group K, 
©(log \K\) random elements taken uniformly in K constitute, with high probability, a generating 
set of K. We now run the first algorithm of Theorem [S] with input V presented as a black-box 
group as follows: ati, ■ ■ ■ ,a s is the set of generators and the operation • is the oracle performing 
group multiplication. The output of the algorithm is then, with high probability, a set of t elements 
h%, . . . , ht of r and t integers mi, . . . ,nit such that, if we denote H, L = [hi, . . . , hi) for 1 < i < t, the 
following holds: 
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(a) {e} = H < Hi < • • ■ < H t -i < H t = V; and 



(b) Hi/Hi-i is cyclic for 1 < i < t and satisfies = mi. 

We then use Shor's quantum algorithm |20j to compute the order rii of each hi in T. Moreover, we 
further analyze the structure of V and use the second algorithm of Theorem [5] to decompose the 
elements h 7 ™' and W % ~ ■ (hk • hi) over for each i £ {2, . . . ,t} and each k 6 {1, . . . ,i — 1}. 

Notice that, indeed, each /i™' and h^~ l ■ (hk ■ hi) = h~ x ■ hk • hi are in i when T is a solvable 
group. We denote the decompositions obtained by 

hp = hfl ■[■■■■ [hf ■ [hf ■ hf^ for 2 < i < t, (1) 

■(h k -h l ) = h^ 1 •(••••( • ( K' 2 ■ hi' 1 ))) tovl<k<i<t, (2) 

where each rf' and each si*l are in Z m£ . (The parentheses are superfluous when • is associative, 
but not in the general case we discuss below.) 



General Case. In general, we do not know whether T is a solvable group or not but we do exactly 
the same as above: we first run the first algorithm of Theorem [5] on the set {a±, ■ ■ ■ , a s } with the 
oracle •. If this algorithm errs, we conclude that T is not a solvable group (this decision is correct 
with high probability because, if T is a solvable group, then the algorithm of Theorem [5] succeeds 
with high probability). Now suppose that we have obtained elements hi, . . . , ht and a set of integers 
mi, . . . ,mt- We define the following sets by recurrence: Hi = {h\\a € Z mi }, and, for 2 < j < t, 
Hj = {hj ■ h\a £ "L m . , h G Hj-i}. Here, and in many other places in this paper, we use the notation 
h r , for h € r and r > 1, to denote the product h •(•••• (h ■ {h ■ h))), since • is not in general 
associative. Moreover we use the convention h° = h™ 1 for any h € T. Notice that the value of h r 
can be computed using O(logr) queries to the oracle • using repeated squaring methods. 

Notice that, in general, the pseudo- magmas H^s have no group-theoretical structure at all (in 
particular they may not be magmas). We then use Shor's order finding algorithm [20] on each hi 
and obtain some integer n^. Then we run the second algorithm of Theorem [5] to decompose the 
elements h™* and h^~ l ■ (hk ■ hi) over for each i E {2, . . . , t} and each k 6 {1, . . . , % — 1}. If the 

algorithm errs or outputs something irrelevant, we conclude that T is not a solvable group. Suppose 
that the algorithm succeeds and outputs decompositions. We use the notations of Equations ([T]) 
and ([2|) to denote the decompositions obtained. We check whether these decompositions are correct, 
i.e., we compute the right sides of Equations (Jl]) and ([2]) and check that they match the left sides. 
If they are correct, we move to the next step (Subsection 13.2.2]) . Otherwise, we conclude that T is 
not a solvable group. 

3.2.2 Test of embedding 



In the second part of our algorithm, we first check that |T| = mi x • • • x mt. Then, we want to check 
whether |r\fft| is small enough. Otherwise we conclude that T is not a solvable group. Indeed, if 
r is a group, then with high probability (on the choice of ai, . . . , a s and on the randomness of the 
algorithm of Theorem [5]) T = Ht. 

More precisely we check whether |r\^|/|r| < e/4 holds. In order to perform this test, we simply 
take ci elements of T and check whether they are all in Ht (by using the second algorithm of Theorem 
[5] and checking the obtained decompositions). It is easy to show that, when taking ci = 0(e _1 ), we 
can detect whether |r\if^|/|r| > e/4 with constant probability. 
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3.2.3 Construction of the group Gt 



We now show how to construct an abstract group Gt defined by the power-conjugate presentation 
found in Part I of our algorithm (Equations ([1]) and ([2j) ) when such a group exists, i.e., when the 
presentation is consistent with the definition of a group. 

We first define by recurrence the family of magmas {Gj}i<j<t, where each Gj is equal (as a set) 
to Z mj x • • • x Z TO1 . G\ is defined as the cyclic group (Z mi , +), where + is the addition modulo m\. 

For any i G {2, . . . , t}, denote by Ui the element (r^_ 1; . . . , rf^) of Gi—\ and, for any i G {2, . . . , t} 

and k £ {1, . . . , i — 1}, denote by the element (sj^_ l3 . . . , s^\) of G%-\. 

Definition 6. Define G\ = (Z mi , +) and, for 2 < j < t, let Gj be the magma (Z TO . x Gj—i, Oj) with 

a + b, (jjp (x) oj_i yj if a + b < rrij 

a + b — rrij, Uj Oj_i cp^ (x) Oj-\ yj if a + b> rrij 

where (j)j : Gj—x — > Gj-i maps any element (cu-i, ■ ■ ■ ,a\) of Gj-i to the element 
(f>j((a,j-i, • • • , ai)) = v^Y-i (" ' " ( v jfi v j}u) °f Gj-i, and (f>^p means cfij composed by 
itself b times. 

We will usually denote Oj or Oj_i simply by o when there is no ambiguity. 

In order to illustrate this definition, let us consider the case where all the Hj's are solvable groups. 
In this case, each Hj = {h- j /i" 1 | aj € Z mj . } is in bijection with, ^rnj x • • ■ x ^rnx 

(as a set). 

Fix a j and consider Hj. Each element h^ j ■ ■ ■ h°^ is associated with the element (aj, . . . , a\) of Gj. 
Now the element (j)j((aj-i, ■ ■ ■ ,ai)) corresponds to the element 

/ ,G0 -GO \ a i-i / .GO 9 (i)\ a i 

hj 1 ■ a*/ ; -h?).h J = [i.- ; ; . . . j • . . ^7 , 1 • • • /,;■•••) . 

In other words, the map <pj in Gj-\ corresponds to the automorphism h i— > h~ 1 hhj of Hj. For any 
two elements g and 5' in Hj-\, since h a - ■ g ■ h h - ■ g' = h°j +b ■ (h~ b ■ g ■ h b ) ■ g' we see that the Gj's are 
defined to be isomorphic to the Hj J s in the case where the Hj J s are solvable groups. 

If the -ff/s are not groups, then the Gj's constructed in Definition [6] are not necessarily groups. 
But we now show that when some additional conditions are satisfied, the G/s become groups. 
In technical words these are necessary and sufficient conditions to make the presentation of Gj a 
consistent presentation of successive cyclic extensions. In the next proposition, we denote by Xj t k, 
for 1 < k < j < t, the element of Gj with one 1 at the index k (from the right) and zeros at all the 
other indexes. 

Proposition 7. Let 1 < j < t. Suppose that Gj-\ is a solvable group and, if j > 3 ; suppose 
additionally that Gj-2 is a solvable group and <ftj~i is a group automorphism of Gj-2- Assume that 
the following three conditions hold. 

(a) £j-i,fc ° ^j-ij-i = Vj—l,j-l v j-l,k f or all 1 < k < j — 1; and 

(b) 4>j{uj) = Uj; and 

(c) (f)^ (xj-xj) = uj 1 o Xj-ij o Uj for all 1 < i < j — 1. 

Then Gj is a solvable group and cftj is a group automorphism of Gj-\. 



(a,x) Oj (b,y) 
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Proof. If <pj is an automorphism of Crj— i, then Conditions (b) and (c) imply that Gj, as defined in 
Definition^ is a so-called cyclic extension of Gj-i and thus a solvable group (see for example |22l 
Section 9.8]). We will show below that Condition (a) implies that <j)j is an endomorphism of Gj-\. 
Since (f)^™^ is an automorphism of Gj-i from Condition (c), <j)j is thus an automorphism too. 
We now prove that 4>j is an endomorphism of Gj-\. If j = 2, then this is obviously the case: 

(2) 

4>2 is the endomorphism of G\ = (Z TOl ,+) mapping a to av\^ . In the following we suppose that 
j > 3. We first start with a few useful observations. First notice that, for any a and b in 
the equality </>j((a + b, e)) = 4>j((a, e)) o (f)j((b, e)), where e denotes the unity element of Gj-2, holds 
from the definition of <j)j. Also notice that, for any a in Z m _ 1 and any x in Gj-2, the equality 
4>j((a, x)) = (pj((a,e)) o(frj_ 1 (x) holds. 

Any element z £ Gj-2 can be written in the form z = x"^ 1 2 j_ 2 ■ ■ ■ x< j-i i f° r some integers 
ai, . . . , Oj_2- Condition (a) then implies that the equality 

2 = ° v< j-\j-2 ° • • • ° = ° ^J-iO 2 ) 

holds (since </>j_i is an endomorphism of Gj-2 and 4>j-i{xj-i^k) = v j-i,k for any 1 < k < j — 1). 
More generally, for any 6 € ^m j _ 1 and any z € Gj-2, we have 

* o ^-((6, e)) = zo v )_^_ x = v)-^ o ^(z) = ^((6, e)) o ^(z). 

Let a,b be two elements of Z m ._j and x,y be two elements of Gj-2- Putting together the above 
observations we can write 

4>j{{a,x))o(j)j((b,y)) = J -((a,e))o0 i _ 1 (a;)o0 i ((6,e))o^ i _ 1 (y) 

= <M(a,e)) o 4>j{{b,e)) o 4>f^\x) o 
= 0i((o,e)) ocj)j((b,e)) o^j-i{^\{x) oy) 

= ^((a + M^fiW !/)), 

where v = Uj if a + & > mj and u = e otherwise. We conclude that 

(f>j((a,x)) o cf)j((b,y)) = 4>j{(a,x) o (6,y)), 

and thus </>.,■ is an endomorphism of Gj—\. □ 

To illustrate the three conditions of Proposition [71 let us again consider the case where (r, •) is a 
group. Then conditions (b) and (c) hold due to the facts that Uj in Gj-\ corresponds to the element 
hj lj and that <fij corresponds to the automorphism h i— > hj 1 hhj of Hj-\- Condition (a) follows from 
Equation ((21). 

For each j £ {2, . ..,£}, testing that Conditions (a) and (b) hold can be done using a number 
of multiplications in the group Gj-\ polynomial in log |T|. The best known classical algorithm for 
computing products in a solvable group given as a power-conjugate presentation is an algorithm by 
Hofling [12] with time complexity 0(exp((log log \Gj-\ |) 2 )) = 0(exp((loglog |r|) 2 )). Notice that if 

Condition (a) holds then <pj is a homomorphism. Then each term ^ ni \xj—x,i) i R Condition (c) can 
be computed using a number of group products polynomial in log |T| by computing, step by step 
by increasing I from to [logmjj, the values (jr- (xj-i^) for all 1 < k < j — 1. The total time 
complexity of checking that all the Gj's are solvable groups is thus 0(exp((loglog|r|) 2 )). No query 
to the oracle ■ is needed. 
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3.2.4 Test of homomorphism 

We now suppose that the Gj's have passed all the tests of Proposition [7] and thus Gt is a solvable 
group. Let ip be the surjective map from Gt to Ht defined as 

iP(a t , at-i, ■ ■ ■ , 01) = K ■ (ht-i •(•••• ( h T ■ K))- 

We will test whether tp is a homomorphism from to Hf. If (r, •) is a solvable group, then ip is 
an homomorphism by construction. We now show that this test is robust. 

Proposition 8. Let r] be a constant such thatO < n < 1/120. Assume that \Ht\ > 3|G^|/4. Suppose 
that 

~P*x, y eG t [ip(x oy)= %l)(x) ■ ij)(y)) > 1 - rj. (3) 
Then there exists a solvable group Ht that is (211ry|r| 2 ) -close to Ht. 

Proof. From Condition ([3]), Theorem 2 of |10j implies that there exists a group (Ht,*) with \Ht\ < 
\Gt\, and a homomorphism ip : Gt — > Ht such that: 

(a) \Ht\H t \ < 3077|iT t |; 

(b) Vr h h , e6t [h*h' ^h-h'}< 91r/; and 

(c) Pr xeGt $(x)^il>(x)] <30 V . 

Notice that, strictly speaking, Theorem 2 of [lQj is stated only in the case where Ht is a magma, 
i.e., closed under •. This is not the case here because H t may not be a magma, but only a pseudo- 
magma. However, careful inspection of the proof of Theorem 2 of [10] shows that exactly the same 
result holds when Ht is a pseudo-magma too. The distance between Ht and Ht is determined by 
the number of elements being a member of either set and the number of pairs of two elements for 
which the result of the multiplication differ. In particular, this distance has for upper bound the 
cost of the following transform: starting from the table of Hj, we first delete rows and columns 
corresponding to elements in Ht\Ht, insert rows and columns corresponding to elements in Ht\Ht, 
and then exchange multiplication entries which differ between two tables. It follows from (a) and (b) 
that the number of elements in Ht\Ht is less than 30n\Ht \ and the number of pairs (h, h') S E(X Ht 
such that h * h! ^ h ■ h! is less than 91rj\Ht\ 2 . It remains to show that Ht\Ht is small enough too 
and that H t is a solvable group. 

Suppose towards a contradiction that \ip(Gt)\ < \Gt\- Then \ip(Gt)\ < |Gj|/2. From Condition 
(c), we obtain \H t \ = \^{G t )\ < \G t \/2 + 30n\G t \ < 3|G t |/4. This gives a contradiction. Thus 
\ip(Gt)\ = \H t \ = \Gt\ and ip is an isomorphism from Gt to H t . Since Gt is a solvable group, H t 
is solvable too. Since \Ht\ < \Gt\, it also follows that \Ht\ < \Ht\ and thus \Ht\Ht\ < \Ht\Ht\ < 
30n\H t \. 

Deleting \Ht\Ht\ rows and column from the table of Ht costs 

2\Ht\\H t \H t \ - \H t \H t \ 2 < 607]\H t \ 2 . 

Then inserting \Ht\Ht\ rows and columns similarly costs at most 60n\Ht\ 2 too. Thus the distance 
between H t and the solvable group H t is at most [(60 + 60 + 91)n\H t \ 2 ] < 211n\T\ 2 . □ 

More precisely, we perform the following test. We want to test which of Y'r x ^Q[ip(x o y) = 
ip(x) ■ Tp(y)] = 1 and Pr Xj y < zG t [' l P( xo y) = ' V'(y)] ^ 1 — V with 77 = e/422 holds. We take ci pairs 
(x, y) of elements of Gt and test whether they all satisfy ip(x o y) = ip(x) ■ ip{y)- It is easy to show 
that, when taking C2 = 0(r? _1 ) = 0(e _1 ), we can decide which case holds with constant probability. 
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3.3 Correctness and complexity 

We now evaluate the performance of our algorithm. This gives the result of Theorem HJ 
First, suppose that the magma (T, •) is a solvable group. With high probability the set of elements 
taken at step 1 of the algorithm of Figure 1 is a generating set of T and the first algorithm of 
Theorem [S] succeeds on this set. In this case, each of the tests realized at steps 3 to 5 succeeds with 
high probability (since the success probability of Shor's algorithm and of the second algorithm of 
Theorem [S] can be amplified), and then all the tests at steps 6 and 7 succeed with probability 1. 
Thus the global error probability is constant. 

Now, we would like to show that any magma T that is (e|r| 2 )-far from any solvable group is 
rejected with high probability. Take such a magma T. Then Ht is (||r| 2 )-far from any solvable group 
Ht or |r\i?t|/|r| > e/4. This assertion holds because for any solvable group Ht, the inequalities 

e|r| 2 < d(r,H t ) < d(r,H t ) + d(H t ,H t ) hold and d(T,H t ) = 2\r\H t \\r\ - |r\^| 2 < 2|r\# t ||r| 

since Ht C T and the operation is the same. If the latter holds, it should be rejected with high 
probability at test 5. Now suppose that the former holds and that all the steps 1-6 succeed. Then 
with high probability \Ht\ > (1 — e/4)|r| > 3|T|/4 = 3|Gj|/4. From Proposition [8] this implies that 
Pr^gGj [ip(x o y) = ip(x) • ip(y)] < 1 — e/422. This is detected with high probability at step 7. 

The algorithm queries the oracle T a number of times polynomial in log |T| at each of the steps 
1 to 4, and a number of times polynomial in log |T| and e _1 at steps 5 and 7. Additional com- 
putational work is needed at steps 6 and 7 to compute a polynomial number of products in the 
groups GVs. Since each product can be done (without queries) using 0(exp((log log |Gj|) 2 )) = 
0(exp((loglog |r|) 2 )) time using the algorithm by Hofling [12j . the total time complexity of the 
algorithm is polynomial in exp((loglog |r|) 2 ) and e . 
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